How do you safely do this? HTTPS://site.com/data/ + protect(untrusted); URL encoding is not the answer, it still allows path traversal. Base64 encoding is not the answer, the + and / characters, legal in base64, can skew a URL.
What kind of protection? A JWT could work there, it uses only URL-safe characters, and is integrity protected. If you don't need integrity protection then just URL-safe Base64, I guess.
SafeBase64 protects against path traversal or path manipulation where urlencoding and normal Base64 do not!
Replying to @manicode
Ultimately the question is where does the untrusted data come from and how is it used, because URL-safe-base64-encoding a "../" will just decode to "../" on the other side.

Mar 31, 2023 · 11:00 PM UTC
Replying to @aaronpk
Most important use cases are sending data to a server that is added to a path for a REST request, SSRF weakness. Also, building dynamic URLs in templates and web UIs.
Replying to @aaronpk
Just looking for safety at time of URL construction. Extraction, decoding and reuse in another URL will require additional encoding.
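
The comparison discussed in this thread, as an added example that is not code from any of the participants: `protect()` is implemented here as unpadded base64url (an assumption about what "SafeBase64" means), and `resolved_path()` is an assumed model of a server or proxy that percent-decodes the path and then normalizes dot segments. It shows the percent-encoded segment escaping `/data/`, standard Base64 emitting `+` and `/`, base64url staying in one segment, and the decoded value still being `../../admin` on the receiving side.

```python
import base64
import posixpath
import re
from urllib.parse import quote, unquote, urlsplit

BASE = "https://site.com/data/"            # base URL used in the thread
SEGMENT_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet, no padding


def protect(untrusted: str) -> str:
    """Hypothetical protect(): untrusted text -> one base64url path segment."""
    raw = untrusted.encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unprotect(segment: str) -> str:
    """Receiver side: strict alphabet check, then decode."""
    if not SEGMENT_RE.fullmatch(segment):
        raise ValueError("not a base64url segment")
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def resolved_path(url: str) -> str:
    """Path after percent-decoding and dot-segment normalization,
    as an assumed model of a server or proxy that does both."""
    return posixpath.normpath(unquote(urlsplit(url).path))


def stays_under_data(url: str) -> bool:
    """True if the resolved path is still below /data/."""
    return resolved_path(url).startswith("/data/")


def std_b64(untrusted: str) -> str:
    """Standard Base64, whose alphabet includes '+' and '/'."""
    return base64.b64encode(untrusted.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    hostile = "../../admin"   # constructed sample input
    for label, seg in [("percent-encoded", quote(hostile, safe="")),
                       ("base64url", protect(hostile))]:
        url = BASE + seg
        print(f"{label:16} {url} -> {resolved_path(url)}")
    print("standard base64 :", std_b64("??>???"), "vs", protect("??>???"))
    print("decodes back to :", unprotect(protect(hostile)))
```

Whatever consumes the output of `unprotect()` still has to validate or re-encode it before placing it in a path or another URL.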